You are reading an unmaintained version of the Ansible documentation. Unmaintained Ansible versions can contain unfixed security vulnerabilities (CVE). Please upgrade to a maintained version. See the latest Ansible documentation.

community.hrobot.firewall – Manage Hetzner’s dedicated server firewall

Note

This plugin is part of the community.hrobot collection (version 1.2.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.hrobot.

To use it in a playbook, specify: community.hrobot.firewall.

Synopsis

• Manage Hetzner’s dedicated server firewall.

• Note that idempotency check for TCP flags simply compares strings and doesn’t try to interpret the rules. This might change in the future.

Requirements

The below requirements are needed on the host that executes this module.

• ipaddress

Parameters

Parameter	Comments
allowlist_hos aliases: whitelist_hos boolean	Whether Hetzner services have access. Choices: no yes
hetzner_password string / required	The password for the Robot webservice user.
hetzner_user string / required	The username for the Robot webservice user.
port string	Switch port of firewall. Choices: main ← (default) kvm
rules dictionary	Firewall rules.
input list / elements=dictionary	Input firewall rules.
action string / required	Action if rule matches. Choices: accept discard
dst_ip string	Destination IP address or subnet address. CIDR notation.
dst_port string	Destination port or port range.
ip_version string / required	Internet protocol version. Note that currently, only IPv4 is supported by Hetzner. Choices: ipv4 ipv6
name string	Name of the firewall rule.
protocol string	Protocol above IP layer
src_ip string	Source IP address or subnet address. CIDR notation.
src_port string	Source port or port range.
tcp_flags string	TCP flags or logical combination of flags. Flags supported by Hetzner are syn, fin, rst, psh and urg. They can be combined with | (logical or) and & (logical and). See the documentation for more information.
server_ip string / required	The server’s main IP address.
state string	Status of the firewall. Firewall is active if state is present, and disabled if state is absent. Choices: present ← (default) absent
timeout integer	Timeout (in seconds) for waiting for firewall to be configured. Default: 180
update_timeout integer	Timeout to use when configuring the firewall. Note that the API call returns before the firewall has been successfully set up. Default: 30
wait_delay integer	Delay to wait (in seconds) before checking again whether the firewall has been configured. Default: 10
wait_for_configured boolean	Whether to wait until the firewall has been successfully configured before determining what to do, and before returning from the module. The API returns status in progress when the firewall is currently being configured. If this happens, the module will try again until the status changes to active or disabled. Please note that there is a request limit. If you have to do multiple updates, it can be better to disable waiting, and regularly use community.hrobot.firewall_info to query status. Choices: no yes ← (default)

See Also

See also

Firewall documentation

Hetzner’s documentation on the stateless firewall for dedicated servers

community.hrobot.firewall_info

Retrieve information on firewall configuration.

Examples

- name: Configure firewall for server with main IP 1.2.3.4
  community.hrobot.firewall:
    hetzner_user: foo
    hetzner_password: bar
    server_ip: 1.2.3.4
    state: present
    allowlist_hos: yes
    rules:
      input:
        - name: Allow everything to ports 20-23 from 4.3.2.1/24
          ip_version: ipv4
          src_ip: 4.3.2.1/24
          dst_port: '20-23'
          action: accept
        - name: Allow everything to port 443
          ip_version: ipv4
          dst_port: '443'
          action: accept
        - name: Drop everything else
          ip_version: ipv4
          action: discard
  register: result

- ansible.builtin.debug:
    msg: "{{ result }}"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Description
firewall dictionary	The firewall configuration. Returned: success
allowlist_hos boolean added in 1.2.0 of community.hrobot	Whether Hetzner services have access. Returned: success Sample: true
port string	Switch port of firewall. main or kvm. Returned: success Sample: “main”
rules dictionary	Firewall rules. Returned: success
input list / elements=dictionary	Input firewall rules. Returned: success
action string	Action if rule matches. accept or discard. Returned: success Sample: “accept”
dst_ip string	Destination IP address or subnet address. CIDR notation. Returned: success Sample: “1.2.3.4/32”
dst_port string	Destination port or port range. Returned: success Sample: “443”
ip_version string	Internet protocol version. Returned: success Sample: “ipv4”
name string	Name of the firewall rule. Returned: success Sample: “Allow HTTP access to server”
protocol string	Protocol above IP layer Returned: success Sample: “tcp”
src_ip string	Source IP address or subnet address. CIDR notation. Returned: success
src_port string	Source port or port range. Returned: success
tcp_flags string	TCP flags or logical combination of flags. Returned: success
server_ip string	Server’s main IP address. Returned: success Sample: “1.2.3.4”
server_number integer	Hetzner’s internal server number. Returned: success Sample: 12345
status string	Status of the firewall. active or disabled. Will be in process if the firewall is currently updated, and wait_for_configured is set to no or timeout to a too small value. Returned: success Sample: “active”
whitelist_hos boolean	Whether Hetzner services have access. Old name of return value allowlist_hos, will be removed eventually. Returned: success Sample: true

Authors

• Felix Fontein (@felixfontein)